diff --git a/CheckBufferOverrun.cpp b/CheckBufferOverrun.cpp
index 179ddf161..bc1ebb420 100644
--- a/CheckBufferOverrun.cpp
+++ b/CheckBufferOverrun.cpp
@@ -133,8 +133,24 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope( const TOKEN *tok, c
 }
- // memset, memcmp, memcpy, strncpy, fgets..
- if (TOKEN::Match(tok,"memset|memcpy|memmove|memcmp|strncpy|fgets") )
+ // memset, memcmp, memcpy, strncpy, fgets..
+ if ( varid > 0 )
+ {
+ if ( TOKEN::Match(tok, "memset|memcpy|memmove|memcmp|strncpy|fgets") )
+ {
+ if ( TOKEN::Match( tok->next(), "( %varid% , %num% , %num% )", 0, 0, varid ) ||
+ TOKEN::Match( tok->next(), "( %var% , %varid% , %num% )", 0, 0, varid ) )
+ {
+ const char *num = tok->strAt(6);
+ if ( atoi(num) > total_size )
+ {
+ ReportError(tok, "Buffer overrun");
+ }
+ }
+ continue;
+ }
+ }
+ else if (TOKEN::Match(tok,"memset|memcpy|memmove|memcmp|strncpy|fgets") )
 {
 if ( TOKEN::Match( tok->next(), "( %var1% , %num% , %num% )", varname ) ||
 TOKEN::Match( tok->next(), "( %var% , %var1% , %num% )", varname ) )
diff --git a/testbufferoverrun.cpp b/testbufferoverrun.cpp
index 1e1ece674..18d46e139 100644
--- a/testbufferoverrun.cpp
+++ b/testbufferoverrun.cpp
@@ -83,7 +83,8 @@ private:
 TEST_CASE( buffer_overrun_1 );
 TEST_CASE( buffer_overrun_2 );
- TEST_CASE( varid1 );
+ TEST_CASE( varid1 );
+ TEST_CASE( varid2 );
 }
@@ -373,6 +374,21 @@ private:
 ASSERT_EQUALS( std::string(""), errout.str() );
 }
+
+ void varid2()
+ {
+ check( "void foo()\n"
+ "{\n"
+ " char str[10];\n"
+ " if (str[0])\n"
+ " {\n"
+ " char str[50];\n"
+ " memset(str,0,50);\n"
+ " }\n"
+ "}\n" );
+ ASSERT_EQUALS( std::string(""), errout.str() );
+ }
+
 };
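Review bot: `atoi(num)` on the new `const char *num = tok->strAt(6);` line reports no parse failure and stops at the first non-digit, so if `%num%` admits a hex or suffixed literal (`0x40`, `64U`) the size is read as 0 or truncated and the overrun report is silently skipped, a false negative in the very check this branch adds; `atoi` is also undefined on overflow. Parsing with an end pointer makes the failure visible: `char *end = 0; const long size = strtol(num, &end, 0); if ( end && *end == '\0' && size > total_size )`. The match string `"memset|memcpy|memmove|memcmp|strncpy|fgets"` now appears in both the `varid > 0` branch and the `else if`, and the inner pattern logic is the varname branch re-typed with `%varid%`; hoisting the string into one local constant would keep the two branches from drifting apart. The enclosing `CheckBufferOverrun_CheckScope` loop body starts and ends outside the hunk.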
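Review bot: `varid2` only asserts that the shadowed `char str[50]` produces no report, so the positive path of the new `varid > 0` branch (the `strAt(6)` size compared against `total_size`, then `ReportError`) is left without a test unless one exists elsewhere in the file, which is not visible here. A companion case with the same body but the inner call changed to `memset(str,0,51)`, asserting the "Buffer overrun" message in the format the existing buffer_overrun cases use, would pin the true-positive behaviour and make a regression in the size parsing visible. The enclosing test class continues outside the hunk.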